TITLE OF THE INVENTION

COMMUNICATION CONTROL APPARATUS, FIREWALL APPARATUS,
AND DATA COMMUNICATION METHOD

BACKGROUND OF THE INVENTION

Field of the Invention

[0001]

The present invention relates to a communication control apparatus, a firewall apparatus, a communication control system, and a data communication method.

Related Background Art

[0002]

Mobile IPv6, the conventional technology that permits a mobile station such as a cell phone to keep using the same IP (Internet Protocol) address regardless of its movement, is under investigation by the IETF (Internet Engineering Task Force). Mobile IPv6 is implemented by mobile IP terminals acting as mobile stations and by a home agent. A packet whose destination address is the permanent IP address (home address) of a mobile IP terminal is transmitted according to the normal IP procedure and thereafter arrives at the link of the home agent. This causes the home agent to receive the packet addressed to the home address.

[0003]

When the mobile IP terminal moves, it connects to a new node after the movement and acquires a care-of (c/o) address, a temporary IP address, using the existing stateless address autoconfiguration (RFC2462) or stateful address autoconfiguration (DHCP: Dynamic Host Configuration Protocol). The mobile IP terminal registers this c/o address with the home agent.

[0004]

There are two methods for the mobile IP terminal to communicate with another terminal: a bidirectional tunnel mode and a route optimization mode. In the bidirectional tunnel mode, a tunnel is generated between the mobile IP terminal and the home agent. A tunnel is a technique of putting an original IP packet inside another IP packet and transmitting it, thereby carrying the packet along an arbitrary route regardless of the source and destination IP addresses of the original IP packet, as disclosed in RFC2473.

[0005]

When the mobile IP terminal transmits an IP packet to another terminal, the IP packet is first transmitted via the tunnel to the home agent. The home agent takes the IP packet out of the tunnel and thereafter sends it to the other terminal according to the normal IP procedure. This allows the IP packet to reach the other terminal. Conversely, when the other terminal transmits an IP packet to the mobile IP terminal, the IP packet arrives at the home agent according to the normal IP procedure. Thereafter, the home agent puts this IP packet into the tunnel and sends it to the mobile IP terminal.

[0006]

In contrast, in the route optimization mode the mobile IP terminal notifies the other terminal of its IP address prior to transmission of an IP packet. If the other terminal transmits an IP packet to the mobile IP terminal in the bidirectional tunnel mode, the mobile IP terminal transmits its own c/o address to the other terminal in order to switch the mode to the route optimization mode.

[0007]

In the route optimization mode, when the mobile IP terminal transmits an IP packet to another terminal, the IP packet is transmitted directly (without intermediation of a tunnel) from the mobile IP terminal to the other terminal. At this time, the c/o address is set in the source address of the IP packet, and the home address in the home address option of the IP packet.

[0008]

On the other hand, when the other terminal transmits an IP packet to the mobile IP terminal, the IP packet is provided with a routing header and is transmitted directly (without intermediation of a tunnel) from the other terminal to the mobile IP terminal. The routing header is defined by RFC2460 and is information for transmitting a packet via an arbitrary relay point. The c/o address is set as the first destination (relay point) of the IP packet, and the home address as the second destination.

[0009]

In internal networks such as LANs, a firewall, which determines the propriety of passage of data arriving at a boundary between networks in accordance with a predetermined filtering condition, is installed in order to detect and block unauthorized accesses from external networks such as the Internet. Firewalls are often provided in software form and installed in routers, proxy servers, etc., and in certain cases dedicated hardware devices are also used because of demands for higher performance (e.g., cf. Patent Document 1).

[0010]

[Patent Document 1] Japanese Patent Application Laid-open No. 10-70576

SUMMARY OF THE INVENTION

[0011]

Firewalls have heretofore been used mainly for the purpose of protecting intra-firm LANs, because they were expensive and, requiring advanced setup skills, too hard for people other than experts to operate, and for the following reasons. Namely, terminals using dial-up connections and mobile stations such as cell phones connect to the external network at different sites according to circumstances and purposes, and it is thus difficult to specify appropriate, stationary locations at which to install firewalls. Since a terminal using dial-up connections is assigned a different IP address on each connection, the filtering condition would have to be changed on every connection, which is not practical. Furthermore, since dial-up connections last only for short periods, the terminals are at low risk of being exposed to attacks from the Internet during those short connection periods. Therefore, the terminals have rarely experienced trouble, even without protection by firewalls.

[0012]

Moreover, terminals used by personal users have increasingly been used in a mode of full-time connection to the external network in recent years, and the need for firewalls for such terminals has also been increasing. However, these terminals, i.e., portable communication terminals such as cell phones, notebook computers, etc. (referred to hereinafter as "mobile stations"), are assumed to change their connected node frequently and quickly, and it is thus impossible to apply to them firewalls whose installation locations are fixed.

[0013]

An object of the present invention is, therefore, to enable application of the firewall function to mobile stations.

[0014]

In order to solve the above problem, a communication control apparatus according to the present invention is a communication control apparatus for implementing transmission and reception of data to and from a plurality of firewall devices connectible to a mobile station, the communication control apparatus comprising: storing means for storing firewall configuration information suitable for the mobile station, in correspondence with identification information of the mobile station; detecting means for detecting a firewall device connected to the mobile station; and transmitting means for, in conjunction with the detection of the firewall device connected to the mobile station, transmitting the firewall configuration information corresponding to the identification information of the mobile station to the firewall device.

[0015]

A data communication method according to the present invention is a data communication method in which a communication control apparatus comprising storing means for storing firewall configuration information suitable for a mobile station, in correspondence with identification information of the mobile station, implements transmission and reception of data to and from a plurality of firewall devices connectible to the mobile station, the data communication method comprising: a detecting step wherein detecting means of the communication control apparatus detects a firewall device connected to the mobile station; and a transmitting step wherein, in conjunction with the detection of the firewall device connected to the mobile station, transmitting means of the communication control apparatus transmits the firewall configuration information corresponding to the identification information of the mobile station to the firewall device.

[0016]

According to these aspects of the invention, in conjunction with the detection of the firewall device connected to the mobile station, the firewall configuration information corresponding to the identification information of the mobile station is transmitted to the firewall device as the point newly connected to the mobile station. This permits the firewall configuration information suitable for the mobile station to be transmitted to, and set in, the firewall device connected to the mobile station.

[0017]

Therefore, not only in the case where the mobile station is initially connected to a firewall device, but also in the case where the mobile station moves and changes its connected firewall device, the firewall configuration information is transmitted to and set in the firewall device after the change of the connected point. Namely, the firewall configuration information tracks the movement of the mobile station. Since the firewall configuration information contains the filtering condition for a packet addressed to the mobile station, the propriety of passage (whether to forward or to discard) of such a packet arriving at the firewall device is determined according to the filtering condition. As a consequence, it becomes feasible to apply the appropriate firewall function to the mobile station as well.

[0018]

A firewall apparatus according to the present invention is a firewall apparatus for implementing relaying in transmission and reception of data between the communication control apparatus as set forth and a plurality of mobile stations, the firewall apparatus comprising: retaining means for retaining a filtering condition included in the firewall configuration information, in correspondence with identification information of each mobile station; distinguishing means for distinguishing a mobile station being the destination of a packet transmitted from the communication control apparatus; and determining means for determining the propriety of passage of the packet in accordance with the filtering condition corresponding to the mobile station distinguished by the distinguishing means.

[0019]

A data communication method according to the present invention is a data communication method in which a firewall apparatus implements relaying in transmission and reception of data between the communication control apparatus as set forth and a plurality of mobile stations, the data communication method comprising: a retaining step wherein retaining means of the firewall apparatus retains a filtering condition included in the firewall configuration information, in correspondence with identification information of each mobile station; a distinguishing step wherein distinguishing means of the firewall apparatus distinguishes a mobile station being the destination of a packet transmitted from the communication control apparatus; and a determining step wherein determining means of the firewall apparatus determines the propriety of passage of the packet in accordance with the filtering condition corresponding to the mobile station distinguished in the distinguishing step.

[0020]

According to these aspects of the invention, after the filtering condition included in the firewall configuration information is retained in correspondence with the identification information of each mobile station, the distinguishing means distinguishes the mobile station being the destination of the packet transmitted from the communication control apparatus to the firewall apparatus, and the determining means determines the propriety of passage of the packet in accordance with the filtering condition corresponding to that mobile station. This permits the filtering condition used in determining the propriety of passage of a packet arriving at the firewall apparatus to be switched appropriately for each mobile station. Therefore, the passage propriety determination is not carried out needlessly against the filtering conditions of mobile stations that cannot be the destination of the packet. As a result, it becomes feasible to suppress the increase in the packet transmission delay to each mobile station, even as the number of mobile stations using the firewall apparatus increases.

[0021]

A communication control system according to the present invention is a communication control system comprising the communication control apparatus as set forth and the firewall apparatus as set forth, wherein the mobile station receives a packet addressed to it via the firewall apparatus.

[0022]

The present invention will become more fully understood from the detailed description given herein below and the accompanying drawings, which are given by way of illustration only and thus are not to be considered as limiting the present invention.

Further scope of applicability of the present invention will become apparent from the detailed description given hereinafter. However, it should be understood that the detailed description and specific examples, while indicating preferred embodiments of the invention, are given by way of illustration only, since various changes and modifications within the spirit and scope of the invention will become apparent to those skilled in the art from this detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023]

Fig. 1 is an illustration showing the overall configuration of the communication control system.

Fig. 2 is a block diagram showing the functional configuration of the home agent apparatus.

Fig. 3 is a block diagram showing the functional configuration of the firewall apparatus.

Fig. 4 is a flowchart for explaining the firewall construction processing in the first embodiment.

Fig. 5 is a flowchart for explaining the IP packet filtering processing.

Fig. 6 is a flowchart for explaining the firewall construction processing in the second embodiment.

Fig. 7 is a flowchart for explaining the firewall construction processing in the third embodiment.

Fig. 8 is a flowchart for explaining the firewall construction processing in the fourth embodiment.

Fig. 9 is a flowchart for explaining the firewall construction processing in the fifth embodiment.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0024]

First Embodiment

The first embodiment of the present invention will be described below in detail with reference to the drawings. Fig. 1 is an illustration showing the overall configuration of communication control system 1 according to the present invention. As shown in Fig. 1, communication control system 1 is comprised of home agent apparatus 10 (corresponding to the communication control apparatus), three firewall devices 20, 30, 40 (corresponding to the plurality of firewall devices), and mobile station 50.

[0025]

The home agent apparatus 10 and mobile station 50 are connected so as to be able to transmit and receive various data to and from each other via at least an arbitrary one of the three firewall devices 20-40. An IP packet transmitted through the external network such as the Internet is first received by the home agent apparatus 10, and thereafter it is relayed by the firewall device 20 located nearest to the current location of the mobile station 50, whereby it reaches the mobile station 50 being the destination of the IP packet.

[0026]

Fig. 2 is an illustration showing the functional configuration of home agent apparatus 10 according to the present invention. As shown in Fig. 2, the home agent apparatus 10 is comprised of configuration file source data storage 11 (corresponding to the storing means), BU receiver 12 (corresponding to the detecting means), and configuration file transmitter 13 (corresponding to the transmitting means). The components are connected through a bus so as to be able to send and receive signals according to their respective functions.

[0027]

Each of the components of the home agent apparatus 10 will be described below in detail.

The configuration file source data storage 11 stores the configuration file source data described below (corresponding to the firewall configuration information) in correspondence with mobile station identification information. The mobile station identification information is, for example, the home address or the MAC address of each mobile station.

[0028]

The information described in the configuration file source data is, for example, the following.

(1) Firewall name

(2) Information necessary for generation of the "routing criterion for an IP packet from the external network"

(3) Information necessary for generation of the "routing criterion for an IP packet from the mobile station"

(4) Information necessary for generation of the "access control list"

[0029]

Namely, the information of (1) is information capable of uniquely identifying the configuration contents of the firewall and is used when the home agent apparatus 10 deletes configuration file source data that has already been transmitted or that has been retained for longer than a predetermined time since its generation.

The information of (2) is information for allowing the firewall apparatus to distinguish the mobile station being the destination of an IP packet transmitted from the external network via the home agent apparatus 10. The information of (2) is described as necessary. This information is, for example, the IP address of mobile station 50, but it may designate a range of destination IP addresses and need not be limited to a single IP address.

[0030]

The information of (3) is information for allowing the firewall apparatus to distinguish the source of an IP packet transmitted from the mobile station. This information is, for example, information designating either a routing criterion based on the source MAC address or a routing criterion based on the source IP address, together with the MAC address to use when the routing criterion is based on the MAC address.

[0031]

The information of (4) is information necessary for generation of a well-known, customary access control list containing the description of the filtering condition used when the firewall apparatus determines the propriety of passage of an IP packet. For example, it is information designating a list to be used as the source of the access control list, and which part of that list should be replaced with the c/o address. The access control list contains the filtering condition used in determining the propriety of passage of an IP packet addressed to the mobile station distinguished on the basis of the information of (2) and (3), but contains no filtering conditions for other mobile stations. This reduces the volume of data searched in the passage determination, so as to speed up the packet filtering process. The access control list is described in row units so as to permit a sequential search from the top row, and each row contains, in order from its head: "deny" or "permit" indicating the propriety of passage of an IP packet, the higher-layer protocol of the IP packet, the source address and source port number of the IP packet, the destination address and destination port number of the IP packet, and so on.

[0032]

The BU receiver 12 receives a Binding Update (BU), a packet notifying that the mobile station 50 has moved, from the firewall device 20 to which the mobile station is connected after the movement. By receiving this Binding Update, the BU receiver 12 detects a connection of the mobile station 50 to the firewall device (including a change of the connected device) and notifies the configuration file transmitter 13 of it.

[0033]

The configuration file transmitter 13, thus notified of the connection of mobile station 50 by the BU receiver 12, refers to the Binding Update to identify the mobile station connected to the firewall device. The configuration file transmitter 13 acquires the identification information of the identified mobile station and the corresponding configuration file source data from the configuration file source data storage 11, and generates a configuration file from the configuration file source data. The configuration file transmitter 13 transmits the identification information and configuration file of the mobile station, together with a Binding Ack (BA: Binding Acknowledgement), to the firewall device newly connected to the mobile station 50. The Binding Ack is the acknowledgement sent in reply to the Binding Update.

[0034]

Fig. 3 is an illustration showing the functional configuration of firewall device 20 according to the present invention. The firewall device 20 may be a router itself, including an access router, or may be a terminal dedicated to the firewall function and constructed separately from the router. As shown in Fig. 3, the firewall device 20 is comprised of packet routing parts 21, 24 (corresponding to the distinguishing means), firewall processes 221, 222, 223 (corresponding to the retaining means and determining means), and output buffers 23, 25. The components are connected through a bus so as to be able to send and receive signals according to their respective functions.

[0035]

When receiving the mobile station identification information and configuration file from the home agent apparatus 10, the packet routing part 21 identifies, on the basis of the mobile station identification information, the firewall process in which the configuration file should be set. When there is no pertinent firewall process, it generates a new firewall process. The mobile station identification information and configuration file are retained in the firewall process thus identified or generated. The firewall name in the configuration file and the routing criterion for IP packets from the external network are set in the packet routing part 21. The firewall name in the configuration file and the routing criterion for IP packets from the mobile station are set in the packet routing part 24.

[0036]

Thereafter, the packet routing part 21, on receiving an IP packet from the external network, outputs the IP packet to the firewall process corresponding to the destination mobile station in accordance with the routing criterion thus set. Likewise, the packet routing part 24, on receiving an IP packet from a mobile station, outputs the IP packet to the firewall process corresponding to the source mobile station in accordance with the routing criterion thus set.

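
The firewall construction processing of [0032]-[0036] (and steps S1-S4 of Fig. 4) can be modelled as a message exchange between the home agent apparatus and two firewall devices. The following is an added example written for this page, not the patent's own code: Binding Update and Binding Ack are plain dictionaries rather than Mobile IPv6 Mobility Header packets, the class and field names (`HomeAgent`, `FirewallDevice`, `ConfigSource`, the `$COA` placeholder) are assumptions, and every address is a constructed sample value.

```python
"""Firewall construction processing of [0032]-[0036] and steps S1-S4 of Fig. 4,
written as an added example; this is not the patent's own code.  Binding
Update / Binding Ack messages are plain dicts rather than Mobile IPv6
Mobility Header packets, and every address below is a constructed sample."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class ConfigSource:
    """Configuration file source data ([0028]), one record per mobile station."""
    firewall_name: str        # (1) uniquely identifies the generated configuration
    external_criterion: str   # (2) destination address/prefix that selects this station's process
    mobile_criterion: tuple   # (3) ("ip", addr) or ("mac", addr) of packets from the station
    acl_template: list        # (4) ACL rows; the placeholder "$COA" is replaced by the c/o address


class HomeAgent:
    """Home agent apparatus 10: storage 11, BU receiver 12, configuration file transmitter 13."""

    def __init__(self):
        self.source_data = {}   # storage 11: mobile station id (home address) -> ConfigSource
        self.bindings = {}      # binding cache: home address -> current c/o address
        self.transmitted = []   # (firewall name, firewall device name) already sent out

    def store(self, mn_id, source):
        self.source_data[mn_id] = source

    def receive_binding_update(self, bu, firewall):
        """BU receiver 12 detects the connection; transmitter 13 replies through the firewall."""
        mn_id, coa = bu["home_address"], bu["care_of_address"]
        self.bindings[mn_id] = coa
        ba = {"type": "BA", "home_address": mn_id, "status": "accepted"}
        source = self.source_data.get(mn_id)
        if source is None:
            return firewall.receive_from_home_agent(ba)   # no configuration for this station
        config = {
            "firewall_name": source.firewall_name,
            "external_criterion": source.external_criterion,
            "mobile_criterion": source.mobile_criterion,
            # [0031]: the designated part of the source list is replaced with the c/o address.
            "acl": [tuple(coa if f == "$COA" else f for f in row) for row in source.acl_template],
        }
        self.transmitted.append((source.firewall_name, firewall.name))
        return firewall.receive_from_home_agent(ba, mn_id=mn_id, config=config)


class FirewallDevice:
    """Firewall device 20/30/40: packet routing parts 21 and 24 and per-station firewall processes."""

    def __init__(self, name):
        self.name = name
        self.processes = {}        # mn_id -> retained configuration file (processes 221, 222, ...)
        self.route_external = {}   # packet routing part 21: destination criterion -> mn_id
        self.route_mobile = {}     # packet routing part 24: source criterion -> mn_id
        self.forwarded_to_mn = []  # output buffer 23: Binding Acks passed on to the station

    def receive_from_home_agent(self, ba, mn_id=None, config=None):
        if config is not None:
            # [0035]: the station's existing process is updated, or a new one is created.
            self.processes[mn_id] = config
            self.route_external[config["external_criterion"]] = mn_id
            self.route_mobile[config["mobile_criterion"]] = mn_id
        self.forwarded_to_mn.append(ba)
        return ba

    def process_for_downward(self, dst_addr):
        """Packet routing part 21: choose the process for a packet from the external network."""
        for criterion, mn_id in self.route_external.items():
            if ip_address(dst_addr) in ip_network(criterion, strict=False):
                return mn_id
        return None

    def process_for_upward(self, src_ip, src_mac):
        """Packet routing part 24: choose the process for a packet from a mobile station."""
        return self.route_mobile.get(("ip", src_ip)) or self.route_mobile.get(("mac", src_mac))


HOME_ADDR_50 = "2001:db8:aaaa::50"   # constructed home address of mobile station 50
MAC_50 = "02:00:00:00:00:50"         # constructed MAC address of mobile station 50


def run_scenario():
    """Initial connection to firewall device 20 (S1-S4), then a handover to firewall device 30."""
    ha = HomeAgent()
    ha.store(HOME_ADDR_50, ConfigSource(
        firewall_name="fw-mn50",
        external_criterion=HOME_ADDR_50,
        mobile_criterion=("mac", MAC_50),
        acl_template=[("permit", "tcp", "any", None, "$COA", 443),
                      ("permit", "tcp", "any", None, HOME_ADDR_50, 443),
                      ("deny", "any", "any", None, "any", None)],
    ))
    fw20, fw30 = FirewallDevice("fw20"), FirewallDevice("fw30")
    # S2/S3: the station, attached to fw20, sends a BU through it to the home agent.
    ha.receive_binding_update({"type": "BU", "home_address": HOME_ADDR_50,
                               "care_of_address": "2001:db8:bbbb::50"}, fw20)
    # The station moves to fw30 and acquires a new c/o address; the configuration follows it.
    ha.receive_binding_update({"type": "BU", "home_address": HOME_ADDR_50,
                               "care_of_address": "2001:db8:cccc::50"}, fw30)
    return ha, fw20, fw30
```

After `run_scenario()` both devices hold a process for mobile station 50, each with the c/o address that was current when its Binding Update arrived, which is the "configuration tracks the movement" property of [0017]. Nothing in this exchange authenticates the configuration file to the firewall device; the page does not address that point, and the example leaves it out as well.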
[0037]

When an IP packet is transmitted in the direction from the external network to mobile station 50 (downward), the firewall process 221 acquires the destination IP address and source IP address for filtering from the IP packet received from the packet routing part 21, according to steps 1 to 3 below, prior to the determination on the propriety of passage.

[0038]

1. Where the IP packet is transmitted in the bidirectional tunnel mode, i.e., where the source address of the outer IP packet is the home agent address, the destination address is a c/o address, and the IP packet contains an inner IP packet, the firewall process 221 extracts the inner IP packet and applies steps 2 and 3 below to it. Where the IP packet is transmitted in a mode other than the bidirectional tunnel mode, the firewall process 221 applies steps 2 and 3 below to the IP packet as received from the packet routing part 21.

[0039]

2. Where the IP packet is transmitted to the mobile station 50 in the route optimization mode, i.e., where the destination address of the IP packet is a c/o address, a routing header exists, and the second destination set in the routing header is a home address, the firewall process 221 uses the home address as the destination IP address for filtering. Where the IP packet is transmitted to the mobile station 50 in a mode other than the route optimization mode, the firewall process 221 uses the destination address of the IP packet as the destination IP address for filtering as it is.

[0040]

3. Where the IP packet is transmitted from a mobile IP terminal in the route optimization mode, i.e., where the source address of the IP packet is a c/o address and the home address option is set, the firewall process 221 uses the address set in the home address option as the source IP address for filtering. Where the IP packet is transmitted from the mobile IP terminal in a mode other than the route optimization mode, the firewall process 221 uses the source address of the IP packet as the source IP address for filtering as it is.

[0041]

When an IP packet is transmitted in the direction from mobile station 50 to the external network (upward), the firewall process 221 acquires the destination IP address and source IP address for filtering from the IP packet received from the packet routing part 24, according to steps 1 to 3 below, prior to the determination on the propriety of passage.

FP03-0259-00

[0042]

1. Where the IP packet is transmitted in the bidirectional tunnel mode, i.e., where the source address of the outer IP packet is a c/o address, the destination address is the home agent address, and the IP packet contains an inner IP packet, the firewall process 221 extracts the inner IP packet and applies steps 2 and 3 below to it. Where the IP packet is transmitted in a mode other than the bidirectional tunnel mode, the firewall process 221 applies steps 2 and 3 below to the IP packet as received from the packet routing part 24.

[0043]

2. Where the IP packet is transmitted to a mobile IP terminal in the route optimization mode, i.e., where a routing header exists in the IP packet, the firewall process 221 uses the second destination set in the routing header as the destination IP address for filtering. Where the IP packet is transmitted to the mobile IP terminal in a mode other than the route optimization mode, the firewall process 221 uses the destination address of the IP packet as the destination IP address for filtering as it is.

[0044]

3. Where the IP packet is transmitted from mobile station 50 in the route optimization mode, i.e., where the source address of the IP packet is a c/o address and the home address option is set, the firewall process 221 uses the address set in the home address option as the source IP address for filtering. Where the IP packet is transmitted from mobile station 50 in a mode other than the route optimization mode, the firewall process 221 uses the source address of the IP packet as the source IP address for filtering as it is.

[0045]

Furthermore, the firewall process 221 uses the destination IP address and source IP address for filtering acquired by the above procedure to determine the propriety of passage of the IP packet routed by the packet routing part 21 (or, for the upward direction, by the packet routing part 24), according to the filtering condition described in the access control list in the configuration file. An IP packet permitted to pass is output to the output buffer 23 (or 25 for the upward direction), while a denied IP packet is discarded. This permits the firewall process 221 to filter any IP packet whose destination or source is the mobile station 50.

[0046]

The firewall process 222 has the same functional configuration as the firewall process 221 described above. Namely, the firewall process 222 retains the identification information and configuration file of mobile station 60 (not shown), another mobile station different from the mobile station 50, and filters IP packets whose destination or source is the mobile station 60. The firewall process 223 is similarly configured to retain the identification information and configuration file of mobile station 70 (not shown), still another mobile station, and to filter IP packets whose destination or source is the mobile station 70.

[0047]

The output buffer 23 transmits (or forwards) an IP packet fed from one of the firewall processes 221-223 through a radio channel to the mobile station being the destination of the IP packet.

[0048]

The packet routing part 24 has the same functional configuration as the packet routing part 21 described above, but differs from the packet routing part 21 in the direction of the IP packets it handles. Namely, the packet routing part 21 receives IP packets from the external network, such as the Internet, on the home agent apparatus 10 side, whereas the packet routing part 24 receives IP packets transmitted from the mobile station 50 side.

[0049]

The output buffer 25 transmits (or forwards) an IP packet fed from one of the firewall processes 221-223 to the destination node of the IP packet.

The firewall devices 30, 40 differ from the firewall device 20 in their installation location, but are constructed in much the same manner as the aforementioned firewall device 20. Therefore, their description is omitted herein.

10 [0050] 

Themobile station 50 is amobile node pursuant to Mobile 
IPv6. In conjunction with a power-on operation or a 
reconnection after a long-term disconnection, the mobile 
station 50 is wirelessly connected to a firewall device with 

15 the highest reception level out of the firewall devices 20-40 . 

Although it is assumed in the present embodiment, 
particularly, that the mobile station 50 is newly connected 
(or initially connected) to the firewall device 20 in the 
communication control system 1,. it is a matter of course 

20 that the mobile station can change its connected device (or 

be handed over) to another firewall device with migration 
thereof. 
[0051]

After the mobile station 50 is connected to the firewall
device, it transmits the aforementioned Binding Update via
the connected firewall device to the home agent apparatus
10. The mobile station 50 then receives the aforementioned
Binding Ack transmitted from the home agent apparatus 10.
[0052]

The operation of the communication control system 1 will
be described below with reference to Figs. 4 and 5. In
addition, each of the steps constituting the data
communication method according to the present invention will
be described.

Fig. 4 is a flowchart for explaining the firewall
construction processing executed and controlled by the
communication control system 1.
[0053]

First, at S1, in conjunction with a power-on operation
or a reconnection after a long-term disconnection, the mobile
station 50 is wirelessly connected to the firewall device 20
with the highest reception level (normally the one located
nearest) out of the firewall devices 20 to 40.
[0054]

At S2, the mobile station 50 transmits the Binding
Update to the home agent apparatus 10 in order to notify it that
the wireless connection with the firewall device 20 is
completed, in accordance with the conventional connection
procedure of Mobile IPv6. This Binding Update contains at
least the identification information of the mobile station 50
being the source.
[0055]

At S3, the home agent apparatus 10 makes the BU receiver
12 receive the Binding Update transmitted from the mobile
station 50.

At S4, the home agent apparatus 10 makes the
configuration file transmitter 13 acquire the identification
information and the corresponding configuration file source
data of the mobile station 50 from the configuration file
source data storage 11, based on the identification
information of the source mobile station in the above Binding
Update.
[0056]

At S5, the home agent apparatus 10 makes the
configuration file transmitter 13 generate the configuration
file according to the steps of the procedure indicated below
by I-V, on the basis of the configuration file source data
acquired at S4.
[0057]

I. To copy the firewall name from the configuration
file source data.

II. To set the c/o address as the "routing criterion for
the IP packet from the external network."

III. To set the home address and the c/o address as the "routing
criterion for the IP packet from the mobile station," where
the source IP address is designated to be used as the routing
criterion; or to copy the MAC address in the configuration
file source data as the "routing criterion for the IP packet
from the mobile station," where the source MAC address is
designated to be used as the routing criterion.

IV. To replace the portion designated for rewriting in the
list serving as the source of the access control list with the
c/o address, and to set the result as the "access control list."

V. To set the IP address of the home agent as the "home
agent address."
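The following is an added worked example, not part of the patent, of the five-step generation of the configuration file at S5. The field names of the configuration file source data, the placeholder token "<COA>" standing for the "portion designated for rewriting" in the access control list, and the sample addresses are assumptions made for this example; the patent does not specify them. Addresses are normalized before use so that a Binding Update carrying an upper-case or otherwise non-canonical c/o address still yields the same routing criterion and access control list.

```python
import ipaddress
from dataclasses import dataclass

# Assumed marker for the "portion designated for rewriting" in the ACL
# source data; the patent does not name the marker.
COA_PLACEHOLDER = "<COA>"


@dataclass
class BindingUpdate:
    """The two fields of a Binding Update the procedure relies on."""
    home_address: str      # identification information of the source mobile station
    care_of_address: str   # c/o address acquired on the visited link


def rewrite_acl(acl_source, coa):
    """Step IV: replace every portion designated for rewriting with the c/o
    address. Replacement works inside longer strings too, e.g. "<COA>/128"."""
    acl = []
    for row in acl_source:
        acl.append({k: (v.replace(COA_PLACEHOLDER, coa) if isinstance(v, str) else v)
                    for k, v in row.items()})
    return acl


def generate_config_file(source, bu, home_agent_address):
    """Steps I-V: build the configuration file from the source data and the
    addresses carried in the Binding Update. Raises ValueError on bad input."""
    hoa = str(ipaddress.IPv6Address(bu.home_address))        # normalize before use
    coa = str(ipaddress.IPv6Address(bu.care_of_address))
    ha = str(ipaddress.IPv6Address(home_agent_address))

    cfg = {}
    # I. copy the firewall name
    cfg["firewall_name"] = source["firewall_name"]
    # II. routing criterion for IP packets from the external network
    cfg["external_routing_criterion"] = {"dst_ip": coa}
    # III. routing criterion for IP packets from the mobile station
    key = source["mobile_routing_key"]
    if key == "source_ip":
        cfg["mobile_routing_criterion"] = {"src_ip": [hoa, coa]}
    elif key == "source_mac":
        cfg["mobile_routing_criterion"] = {"src_mac": source["mac_address"].lower()}
    else:
        raise ValueError(f"unknown routing key {key!r}")
    # IV. access control list with the c/o address filled in
    cfg["access_control_list"] = rewrite_acl(source["access_control_list"], coa)
    # V. home agent address
    cfg["home_agent_address"] = ha
    return cfg


# Constructed sample source data for mobile station 50 (not from the patent).
SAMPLE_SOURCE_DATA = {
    "firewall_name": "fw-ms50",
    "mac_address": "02:00:5E:00:00:50",
    "mobile_routing_key": "source_ip",
    "access_control_list": [
        {"action": "permit", "proto": "tcp", "src": "any", "dst": "<COA>", "dport": "443"},
        {"action": "permit", "proto": "tcp", "src": "<COA>", "dst": "any", "dport": "any"},
        {"action": "deny", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
    ],
}
SAMPLE_BU = BindingUpdate("2001:db8:1::50", "2001:DB8:20::ABCD")   # non-canonical on purpose
SAMPLE_HOME_AGENT = "2001:db8:1::1"

if __name__ == "__main__":
    import json
    print(json.dumps(generate_config_file(SAMPLE_SOURCE_DATA, SAMPLE_BU, SAMPLE_HOME_AGENT), indent=2))
```

The "source_mac" branch corresponds to the second alternative of step III; switching the sample's "mobile_routing_key" to it shows that only the routing criterion for packets from the mobile station changes, while the access control list is still keyed on the c/o address.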

[0058]

At S6, the home agent apparatus 10 makes the
configuration file transmitter 13 attach the identification
information of the mobile station 50 acquired at S4 and the
configuration file generated at S5 to the Binding Ack, and
transmit it to the mobile station 50.
[0059]

The present embodiment was described above on the
assumption that the configuration file is generated and
transmitted by the home agent apparatus 10. However, it is
also possible to adopt a configuration in which the home agent
apparatus 10 transmits the configuration file source data
to the firewall apparatus and the firewall apparatus
generates the configuration file on the basis of the
configuration file source data.
[0060]

Since the mobile station 50 is connected to the firewall
device 20, the Binding Ack directed to the mobile station
50 naturally passes through the firewall device 20. At S7, the
firewall device 20 acquires the identification information
and configuration file of the mobile station 50 that are
attached to the Binding Ack in transit.

At S8, the mobile station 50 receives the Binding Ack,
and this completes the location registration of the mobile
station 50 with the home agent apparatus 10. At this time,
the mobile station 50 may receive the foregoing configuration
file along with the Binding Ack.
[0061]

The mobile station identification information and
configuration file were assumed to be transmitted on the
Binding Ack, but they may be transmitted separately from
the Binding Ack. Namely, the home agent apparatus 10
determines the prefix of the firewall device 20 connected
to the mobile station 50, based on the c/o address in the
Binding Update, and multicasts the configuration file to all
the firewall devices on the network indicated by the prefix.
Thereafter, the home agent apparatus 10 transmits the Binding
Ack to the mobile station 50.

[0062]

At S9, the firewall device 20 generates the firewall
process 221 for the mobile station 50, using the
identification information and configuration file of the
mobile station 50 acquired at S7. The generation of the
firewall at S9 means customizing the process that executes the
access control list in the configuration file so as to adapt
it to a specific mobile station. On the occasion of the
generation of the firewall, the above process is initialized
(its internal variables are set) if necessary, and if an
operation condition before movement exists in the configuration
file, it is set into the internal variables of the above process.
[0063]

At S10, the firewall device 20 acquires the firewall
name and routing criteria from the configuration file
acquired at S7, and sets them in the packet routing parts
21 and 24.

The above described the process of constructing the
firewall applied to the mobile station 50, but the firewalls
applied to the mobile stations 60, 70 are also constructed
through similar steps.
[0064]

Subsequently, the IP packet filtering processing
executed and controlled by the firewall device 20 after the
construction of the firewall will be described with reference
to Fig. 5.

The description below is predicated on the case where
an IP packet is transmitted in the direction from the home
agent apparatus 10 to the mobile station 50 (downward), but it is
also noted that similar processing can be executed where the IP
packet is transmitted in the opposite direction (upward).
[0065]

At T1, the packet routing part 21 monitors whether or
not an IP packet is received.

At T2, the packet routing part 21 identifies the
destination IP address from the header information of the
IP packet and outputs the IP packet to its routing destination,
namely the firewall corresponding to the mobile station having
that destination address. For example, where the destination IP
address of the IP packet is the IP address of the mobile
station 50, the IP packet is routed to the firewall process
221.

[0066]

At this time, there is a conceivable situation in which
the firewall that is the routing destination of the received
IP packet has not been generated yet. In this case, a preset
process (hereinafter referred to as the "default process") is
executed. The default process is, for example, such that the
firewall device 20 checks the content of the IP packet and,
if the content is a Binding Update to the home agent apparatus
10, transmits the packet to the home agent apparatus 10. If
the content is not a Binding Update, the IP packet is discarded
at that point.
[0067]

At T3, the firewall process 221 determines whether the
IP packet may pass, based on the above process
generated at S9 in Fig. 4. The firewall process 221 may be
configured to execute processes including setting of a
passage priority order, inspection of authentication
information, change of the packet content, etc., in
addition to the passage propriety determining process for
the IP packet.

[0068]

When the determination at T3 results in permitting
passage (T4: Yes), the firewall process 221 causes the IP
packet to be output to and retained in the output buffer 23
(T5). Then, at T6, the IP packet retained in the output buffer
23 is transmitted via the radio channel connecting the firewall
device 20 and the mobile station 50 to the mobile station 50.

[0069]

On the other hand, when the determination at T3 results
in denying passage (T4: No), the firewall process 221 deletes
the IP packet (T7). At this time, the home agent apparatus
10, being the source of the IP packet, may be notified of the
deletion of the IP packet.

[0070]

After completion of the process of T6 or T7, the firewall
device 20 returns to T1 to await reception of a further IP
packet, and again executes the processes at and after T1.

The above described the process in which the
communication control system 1 performs the filtering of
IP packets addressed to the mobile station 50, and it
is noted that the filtering process for IP packets
addressed to the mobile stations 60, 70 can also be executed
through similar steps. This makes it feasible to perform
a fast and appropriate passage propriety determination
for IP packets addressed to all the mobile stations for
which dedicated firewalls have been generated.
[0071]

As described above, the communication control system
1 according to the present invention is configured to place
the firewall at the location of the terminal to which the
mobile station can be directly connected. When the home agent
apparatus 10 receives the Binding Update transmitted from
an arbitrary mobile station, it transmits the configuration
file of the firewall suitable for that mobile station to the
firewall device. The firewall device generates the firewall
suitable for the mobile station, using the configuration
file. This results in constructing the firewall for the
mobile station in whichever firewall device the mobile station
is connected to, whereby it becomes feasible to apply the
firewall function to any moving terminal.

[0072]

It is expected that applying the firewall function to
mobile equipment enormously increases the volume of data
described in the access control list designating the filtering
conditions, as the number of users of mobile equipment grows.
On the other hand, when determining whether each packet may
pass, the firewall apparatus collates the header information
against the conditions in order from the top row of the access
control list. For this reason, there is concern that the
increase in the volume of described data increases the
processing time of the passage propriety determination and
thereby the transmission delay of the packet.
[0073]

An effective means of clearing up this concern is for
the firewall apparatus to use different filtering conditions
for the respective mobile stations. One possible technique of
changing the filtering conditions per mobile station is to use
a different physical interface for each mobile station. It is,
however, extremely difficult to apply this technique where the
same physical interface is shared among a number of mobile
stations, as in layer 2 connections typified by wireless LANs.
[0074]

In order to change the filtering conditions for the
respective mobile stations, the firewall apparatus, on
receiving a packet, distinguishes the mobile station that is
the destination of the packet and switches the firewall
applied to the packet according to the result of that
distinction. This prevents unnecessary passage propriety
determinations from being made for mobile stations to which the
packet cannot be transmitted. Accordingly, the increase in the
transmission delay of the packet due to the growing number of
mobile stations is suppressed. As a result, it becomes feasible
to apply the firewall function to mobile equipment without a
decrease in the speed of the forwarding process.
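The following added example, not part of the patent, implements the filtering flow of Fig. 5 (T1-T7) together with the default process of paragraph [0066], and measures the effect described in paragraphs [0072]-[0074]: a packet is dispatched to the firewall process of the mobile station it is addressed to (downward) or sent from (upward), and only that station's access control list is collated top-down. The packet representation, the "mh_type" field standing for the Mobility Header type that marks a Binding Update, the implicit deny when no row matches, and all addresses are assumptions made for the example.

```python
# Assumptions for the example (not from the patent): packets are dicts of
# header fields, and "mh_type" == "BU" stands for the Mobility Header type
# that marks a Binding Update.
BINDING_UPDATE = "BU"
HOME_AGENT = "2001:db8:1::1"   # constructed address of home agent apparatus 10


def rule_matches(rule, pkt):
    """A row matches when every field it names equals the packet's field;
    a field missing from the row or set to "any" is a wildcard."""
    for key in ("proto", "src", "dst", "dport"):
        want = rule.get(key, "any")
        if want != "any" and pkt.get(key) != want:
            return False
    return True


class FirewallProcess:
    """Firewall generated for one mobile station (S9): its ACL is collated
    top-down, first match wins, implicit deny if no row matches (assumed)."""

    def __init__(self, station_id, config):
        self.station_id = station_id
        self.acl = config["access_control_list"]
        self.evaluations = 0        # rows collated so far, for the cost comparison

    def decide(self, pkt):          # T3
        for row in self.acl:
            self.evaluations += 1
            if rule_matches(row, pkt):
                return row["action"] == "permit"
        return False


class FirewallDevice:
    def __init__(self, home_agent_address):
        self.home_agent_address = home_agent_address
        self.by_dst = {}            # packet routing part 21: destination c/o address -> process
        self.by_src = {}            # packet routing part 24: source home or c/o address -> process
        self.output_buffer = []     # output buffers 23 and 25
        self.dropped = []
        self.relayed_to_home_agent = []

    def generate_firewall(self, station_id, config):   # S9, S10
        proc = FirewallProcess(station_id, config)
        self.by_dst[config["external_routing_criterion"]["dst_ip"]] = proc
        for src in config["mobile_routing_criterion"]["src_ip"]:
            self.by_src[src] = proc

    def receive(self, pkt, direction):   # T1, T2: dispatch by the routing criterion
        proc = self.by_dst.get(pkt["dst"]) if direction == "down" else self.by_src.get(pkt["src"])
        if proc is None:
            return self.default_process(pkt)
        if proc.decide(pkt):                  # T4: Yes
            self.output_buffer.append(pkt)    # T5, T6
            return "forwarded"
        self.dropped.append(pkt)              # T7
        return "dropped"

    def default_process(self, pkt):
        """No firewall generated yet for this station: relay only a Binding
        Update addressed to the home agent, discard everything else."""
        if pkt.get("mh_type") == BINDING_UPDATE and pkt["dst"] == self.home_agent_address:
            self.relayed_to_home_agent.append(pkt)
            return "relayed"
        self.dropped.append(pkt)
        return "dropped"


def flat_acl_evaluations(configs, pkt):
    """Rows collated if all stations' ACLs were one concatenated list (the
    growth paragraph [0072] warns about) instead of dispatched per station."""
    rows = [row for cfg in configs for row in cfg["access_control_list"]]
    for n, row in enumerate(rows, 1):
        if rule_matches(row, pkt):
            return n
    return len(rows)


def sample_config(name, hoa, coa):
    """Constructed configuration file in the shape generated at S5."""
    return {
        "firewall_name": name,
        "external_routing_criterion": {"dst_ip": coa},
        "mobile_routing_criterion": {"src_ip": [hoa, coa]},
        "access_control_list": [
            {"action": "permit", "proto": "tcp", "dst": coa, "dport": 443},
            {"action": "permit", "proto": "tcp", "src": coa},
        ],
        "home_agent_address": HOME_AGENT,
    }


STATIONS = {   # constructed: station -> (home address, c/o address)
    "ms50": ("2001:db8:1::50", "2001:db8:20::50"),
    "ms60": ("2001:db8:1::60", "2001:db8:20::60"),
    "ms70": ("2001:db8:1::70", "2001:db8:20::70"),
}
CONFIGS = {sid: sample_config(f"fw-{sid}", hoa, coa) for sid, (hoa, coa) in STATIONS.items()}


def build_device():
    """Firewall device 20 with a dedicated firewall process for each station."""
    dev = FirewallDevice(HOME_AGENT)
    for sid, cfg in CONFIGS.items():
        dev.generate_firewall(sid, cfg)
    return dev
```

With three stations of two rows each, a downward packet to the third station costs one row collation after dispatch but five in a single concatenated list; the gap grows linearly with the number of stations, which is the point of paragraph [0074]. The default process is deliberately narrow: before a firewall exists for a station, the only traffic it lets through is a Binding Update to the home agent, so an unregistered station cannot use the device as a plain router.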
[0075]

Second Embodiment

The second embodiment of the present invention will
be described below in detail with reference to the drawings.

The first embodiment was based on the case where the
mobile station 50 was initially connected to a firewall
apparatus in the communication control system 1. For this
reason, the firewall apparatus operated to receive and use
the configuration file generated by the home agent apparatus.
In contrast, the present embodiment is predicated on
the case where the mobile station 50 moves and is handed
over to another firewall device as its connected device,
and the new firewall device after the movement receives
and uses the configuration file retained in the preceding
firewall device before the movement.
[0076]

The communication control system in the present
embodiment will be described below in detail.

The configuration of the communication control system
in the present embodiment is much the same as the configuration
of the communication control system detailed in the first
embodiment. Therefore, each component is denoted by
the same reference symbol, without description thereof. The
present embodiment is based on the assumption that the mobile
station 50 changes its connection point from the firewall
device 20 to the firewall device 30.
[0077]

The firewall construction processing executed by the
communication control system 1 will be described below with
reference to Fig. 6.

When the mobile station 50 changes its connected
firewall device (S11), it sends a Binding Update to the
home agent apparatus 10 (S12).

Receiving the Binding Update from the mobile station
50 (S13), the home agent apparatus 10 transmits the IP address
of the preceding firewall device 20 to the new firewall device
30 (S14). The home agent apparatus 10 was notified of this
IP address together with the Binding Update when the mobile
station 50 was connected to the firewall device 20, i.e.,
before the movement.

[0078]

The firewall device 30 receives the IP address of the
firewall device 20 (S15), and in conjunction therewith it
transmits a request for forwarding of the configuration file
for the mobile station 50 to the received address (S16).

The firewall device 20 receives the forwarding request
from the firewall device 30 (S17), and then transmits
the identification information and configuration file of
the mobile station 50 retained in the firewall
process 221 to the firewall device 30 (S18).
[0079]

The firewall device 30 receives the identification
information and configuration file of the mobile station 50 from
the firewall device 20 (S19), and then generates the firewall
for the mobile station 50, using the configuration file (S20).

Thereafter, processing similar to S10 shown in Fig.
4 is carried out. Namely, the firewall name and routing
criteria are set in the packet routing parts 21 and 24.
[0080]

As described above, the mobile station 50 sends the
Binding Update to the home agent apparatus 10 in conjunction
with a handover. Accordingly, the location of the firewall
having the filtering conditions suitable for the mobile
station is variably controlled with every change of the
firewall device connected to the mobile station 50, i.e.,
with every movement of the mobile station 50. As a result, the
firewall tracks the displacement of the mobile station 50,
whereby it becomes feasible to apply the firewall function
to any moving terminal.
[0081]

There are a variety of conceivable techniques for
constructing the firewall at the location after the movement
of the mobile station 50, but it is preferable to divert
the existing configuration file in the preceding firewall
device to the new firewall device, in terms of minimizing
the communication load and implementing efficient firewall
construction. Namely, the new firewall device 30 acquires
the IP address of the firewall device already retaining
the configuration file of the mobile station 50 from the
home agent apparatus 10, and then acquires the configuration
file from that firewall device. This makes it feasible to apply
the firewall function to the mobile station 50 after the
movement without transmission and reception of the
configuration file between the home agent apparatus 10 and the
firewall device 30. Since an IP address is a smaller volume of
data than a configuration file, the communication load on the
communication control system 1 is decreased.
[0082]

Third Embodiment

The third embodiment, as still another mode in which the
mobile station 50 moves to change its connected firewall
device, will be described below in detail with reference to
the drawings. The configuration of the communication
control system in the present embodiment is much the same
as the configuration of the communication control system
detailed in the first embodiment, and thus each component
is denoted by the same reference symbol, without
description thereof. The present embodiment is also based
on the assumption that the mobile station 50 is handed over
from the firewall device 20 to the firewall device 30, as
the second embodiment was.
[0083]

The firewall construction processing executed by the
communication control system 1 will be described below with
reference to Fig. 7.

The firewall construction processing executed by the
communication control system 1 in the present embodiment
includes a plurality of steps common to the firewall
construction processing detailed in the second embodiment
(cf. Fig. 6). Specifically, the steps S21-S23, S29, S30
and the subsequent processing in Fig. 7 are equivalent to
S11-S13, S19, S20 and the subsequent processing,
respectively, shown in Fig. 6.
[0084]

S24-S28 (the processes in heavy-line blocks in Fig. 7),
which are the steps specific to the present embodiment, will
be described below. Namely, in conjunction with the
reception of the Binding Update from the mobile station 50,
the home agent apparatus 10 transmits a request for forwarding
of the configuration file for the mobile station 50 to the
preceding firewall device 20 (S24).

The firewall device 20 receives the forwarding request
from the home agent apparatus 10 (S25), and then transmits
the identification information and configuration file of
the mobile station 50 retained in the firewall process
221 to the home agent apparatus 10 first (S26).
[0085]

The home agent apparatus 10 receives the identification
information and configuration file of the mobile station 50 from
the firewall device 20 (S27), and then transmits (or forwards)
this information to the new firewall device 30 (S28).
Thereafter, processing similar to S19 and the subsequent steps
shown in Fig. 6 is carried out. Namely, the firewall name and
routing criteria are set in the packet routing parts 21 and 24.

By adopting this configuration, the communication
control system 1 is able to variably control the location
of the firewall and make the firewall track the movement
of the mobile station 50 from the old device to the new device.
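The following added example, not part of the patent, plays out the handover exchanges of the second embodiment (Fig. 6, the new firewall device fetches the configuration file directly from the preceding device) and the third embodiment (Fig. 7, the home agent fetches and forwards it), and carries the firewall process's internal state along with the configuration file as paragraph [0096] below requires. The in-memory objects, the transcript of messages, the address values and the TCP flow record are assumptions made for the example. The patent does not specify how a forwarding request is authenticated, so the example assumes a trusted management network between the firewall devices and the home agent and merely records who asked.

```python
import copy


class FirewallDevice:
    """A firewall device retaining, per mobile station, the identification
    information, the configuration file and the firewall process's state."""

    def __init__(self, address):
        self.address = address
        self.retained = {}     # station id -> record
        self.transcript = []   # messages this device sent: (to, kind)

    def generate_firewall(self, station_id, config, state=None):   # S9 / S20 / S30
        self.retained[station_id] = {
            "identification": station_id,
            "config": copy.deepcopy(config),
            "state": copy.deepcopy(state or {}),   # operation condition before movement
        }

    def handle_forwarding_request(self, station_id, requester):    # S17 / S25
        # Assumption: the requester is trusted; the patent specifies no check here.
        record = copy.deepcopy(self.retained[station_id])
        self.transcript.append((requester, "identification+config"))   # S18 / S26
        return record

    def install_record(self, station_id, record):                   # S19-S20 / S29-S30
        self.generate_firewall(station_id, record["config"], record["state"])

    def request_from_preceding_device(self, station_id, old_device):   # S15-S16
        self.transcript.append((old_device.address, "forwarding request"))
        self.install_record(station_id, old_device.handle_forwarding_request(station_id, self.address))


class HomeAgent:
    def __init__(self, address, network):
        self.address = address
        self.network = network          # address -> FirewallDevice, standing in for IP reachability
        self.connected_device = {}      # station id -> address of the firewall device in use
        self.transcript = []

    def register(self, station_id, device_address):
        """Initial connection (first embodiment): remember the device the
        station's Binding Update came through."""
        self.connected_device[station_id] = device_address

    def binding_update_after_handover(self, station_id, new_device_address, via_home_agent):
        """S12-S14 (second embodiment, via_home_agent=False) or S22-S28 (third, True)."""
        old_address = self.connected_device[station_id]
        self.connected_device[station_id] = new_device_address
        old_dev, new_dev = self.network[old_address], self.network[new_device_address]
        if via_home_agent:
            self.transcript.append((old_address, "forwarding request"))              # S24
            record = old_dev.handle_forwarding_request(station_id, self.address)     # S25-S27
            self.transcript.append((new_device_address, "identification+config"))   # S28
            new_dev.install_record(station_id, record)
        else:
            self.transcript.append((new_device_address, "preceding device address"))  # S14
            new_dev.request_from_preceding_device(station_id, old_dev)                # S15-S20
        return old_address


def run_scenario(via_home_agent):
    """Constructed scenario: ms50 first connects through device 20 and is
    then handed over to device 30. Returns (home agent, device 20, device 30)."""
    fw20, fw30 = FirewallDevice("2001:db8:20::1"), FirewallDevice("2001:db8:30::1")
    ha = HomeAgent("2001:db8:1::1", {d.address: d for d in (fw20, fw30)})
    config = {"firewall_name": "fw-ms50",
              "access_control_list": [{"action": "permit", "proto": "tcp", "dport": 443}]}
    # TCP data the firewall kept while the station was connected (paragraph [0096])
    state = {"tcp_flows": [("2001:db8:20::50", 51000, "2001:db8:ffff::1", 443)]}
    fw20.generate_firewall("ms50", config, state)
    ha.register("ms50", fw20.address)
    ha.binding_update_after_handover("ms50", fw30.address, via_home_agent)
    return ha, fw20, fw30
```

In the direct variant the home agent sends only the preceding device's address and never sees the configuration file, which is the load argument of paragraph [0081]; in the variant via the home agent the same record crosses the network twice. Records are deep-copied on every hop, so the two devices' state diverges independently after the handover.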

[0086]

Fourth Embodiment

The fourth embodiment, as still another mode in which the
mobile station 50 moves to change its connected firewall
device, will be described below in detail with reference to
the drawings. The configuration of the communication
control system in the present embodiment is much the same
as the configuration of the communication control system
detailed in the first embodiment, and thus each component
is denoted by the same reference symbol, without
description thereof. The present embodiment is based on the
assumption that the mobile station 50 is handed over from
the firewall device 20 to the firewall device 30, as the
second and third embodiments were.
[0087]

The firewall construction processing executed by the
communication control system 1 will be described below with
reference to Fig. 8.

The firewall construction processing executed by the
communication control system 1 in the present embodiment
includes a plurality of steps common to the firewall
construction processing detailed in the third embodiment
(cf. Fig. 7). Specifically, the steps S31-S35, S37, S38
and the subsequent processing in Fig. 8 are equivalent to
S21-S25, S29, S30 and the subsequent processing,
respectively, shown in Fig. 7.

[0088]

S36 (the process in the heavy-line block in Fig. 8), which
is the step specific to the present embodiment, will be
described below. Namely, at S36, in conjunction with
reception of the forwarding request for the configuration
file from the home agent apparatus 10, the preceding firewall
device 20 multicasts the identification information and
configuration file of the mobile station 50 retained in the
firewall process 221.

[0089]

Here the IP addresses notified by the home agent
apparatus 10 are used as the multicast destination addresses.
Namely, the home agent apparatus 10 determines the prefix
of the firewall device 20 to which the mobile station 50 has
been connected, based on the c/o address in the Binding Update
received at S33, and selects all the firewall devices on
the network indicated by the prefix as multicast
destinations. Thereafter, the home agent apparatus 10 sends
the IP addresses of the selected multicast destinations,
together with the forwarding request, to the firewall device
20. This permits the firewall device 20 to execute the
multicast to the other firewall devices 30, 40 in the system.
[0090]

The identification information and configuration file
of the mobile station 50, multicast from the firewall device 20,
are received by the firewall device 30 on the above network
and used for generation of the firewall. The identification
information and configuration file of the mobile station 50
multicast to the firewall device 40 can be used for generation
of the firewall if the mobile station 50 later changes its
connected device to the firewall device 40.

By adopting this configuration, the communication
control system 1 is also able to variably control the location
of the firewall and make the firewall track the movement
of the mobile station 50 from the old device to the new device.

[0091]

Fifth Embodiment

The fifth embodiment, as still another mode in which the
mobile station 50 moves to change its connected firewall
device, will be described below in detail with reference to
the drawings. The configuration of the communication
control system in the present embodiment is much the same
as the configuration of the communication control system
detailed in the first embodiment, and thus each component
is denoted by the same reference symbol, without
description thereof. The present embodiment is based on the
assumption that the mobile station 50 is handed over from
the firewall device 20 to the firewall device 30, as the
second to fourth embodiments were.
[0092]

The firewall construction processing executed by the
communication control system 1 will be described below with
reference to Fig. 9.

The firewall construction processing executed by the
communication control system 1 in the present embodiment
includes a plurality of steps common to the firewall
construction processing detailed in the second embodiment
(cf. Fig. 6). Specifically, the steps S41, S44, S45-S49
and the subsequent processing in Fig. 9 are equivalent to
S11, S13, S16-S20 and the subsequent processing,
respectively, shown in Fig. 6.

[0093]

S42 and S43 (the processes in heavy-line blocks in Fig.
9), which are the steps specific to the present embodiment,
will be described below. Namely, at S42, the mobile station
50 transmits to the home agent apparatus 10 a Binding Update
together with the configuration file transmitted from the
home agent apparatus 10 before the movement (hereinafter
referred to as the "old configuration file").

[0094]

At S43, the new firewall device 30 refers to the old
configuration file to learn the IP address of the
preceding firewall device 20. This permits the firewall
device 30 to identify the address to which to send the request
for forwarding of the identification information and
configuration file of the mobile station 50. Subsequently, the
firewall device 30 receives the identification information and
configuration file from the firewall device 20 at the forwarding
request address, and generates the firewall for the mobile
station 50. Therefore, it becomes feasible to variably control
the location of the firewall and make the firewall track the
movement of the mobile station 50.
[0095]

As described above, the second to fifth embodiments
were configured to forward the configuration file and related
information from the preceding firewall device to the new
firewall device, and the purposes of this operation are as
follows.
[0096]

The first purpose is to take over the state if the
firewall device has internal state or global variables. For
example, the firewall process operates as follows: upon
reception of a TCP (Transmission Control Protocol) connect
signal, it stores data about the TCP connection; upon reception
of a TCP disconnect signal, it deletes that data; and upon
reception of data outside communication periods, it discards
the data. Where this operation is applied to the mobile
station, it is necessary to hand over the data stored for the
mobile station to the new access point after the movement.
[0097]

The second purpose is to minimize the forwarding of
information. Namely, the information in the access
control list, even for a single mobile station, can be a
high volume of data. The home agent apparatus is often
located far from the mobile station (or the firewall device),
whereas upon a handover the new firewall device is more likely
to be located very near the preceding firewall device. For this
reason, the load on the network can be reduced by transmitting
the information from the preceding firewall device to the new
firewall device, as in the second, fourth, and fifth
embodiments.
[0098]

The present invention is by no means intended to be
limited to the above embodiments, but a variety of
modifications can be adopted as necessary without
departing from the spirit and scope of the present invention.
For example, the main element generating and transmitting
the configuration file of the firewall was the home agent
apparatus in the embodiments, but it may be a server apparatus
configured separately from the apparatus having the home
agent function.

[0099]

In particular, where RADIUS (Remote Authentication
Dial-In User Service) authentication is carried out for the
mobile station, the movement of the mobile station can be
detected upon the authentication, and thus the RADIUS server
may be configured to generate and transmit the configuration
file.
[0100]

The following will describe a mode in which the RADIUS
server is used in place of the home agent apparatus. Since
RADIUS is the technology standardized by RFC 2865, the
detailed description thereof is omitted herein, and only the
fundamental procedure is described briefly. When
a remote access apparatus receives a request for remote
dial-up access from a user terminal, the remote access
apparatus transmits an access request message to the RADIUS
server. Normally, this access request message contains a
user ID and a password entered at the user terminal. The
RADIUS server verifies the user on the basis of the user
ID and password and sends a reply message according to the
result of the verification (an access permission message
or an access rejection message). The remote access apparatus
carries out the remote access or disconnects the dial-up access
in accordance with this message.
[0101]

The protocol defining the above procedure has been
extended as follows. One extension is to place various data
on the packet serving as the access permission message. The
various data include, for example, a maximum time available
for the remote access of the user terminal, an IP address to be
used, a filtering ID, and so on. Another extension is to apply
RADIUS to operations other than remote access. For example,
if a wireless LAN base station is used instead of the remote
access apparatus, RADIUS can be used for authentication of
wireless LAN users.
[0102]

The following will describe the configuration and
operation of the communication control system to which
RADIUS is applied, taking the above extensions into
account. The communication control system comprises
at least a mobile station, a firewall apparatus also serving
as a radio base station (a base station and firewall), and
a RADIUS server. The mobile station, on receiving broadcast
information, sends a request for connection to the base
station to the base station and firewall that is the source
of the broadcast information. The base station and firewall,
on receiving the connection request, sends an access request
to the RADIUS server.
[0103]

The RADIUS server, on receiving the access request,
performs user verification of the mobile station. When
the verification results in a permission of access,
the server generates the configuration file of the firewall
for the mobile station. The server then places the
configuration file on the access permission message (packet)
and sends it to the base station and firewall. The base
station and firewall initializes the firewall process with
reference to the configuration file and thereafter permits
the mobile station to connect to the base station.
[0104]

Namely, the mobile station acquires a permission for
communication with a radio base station in a new communication
area upon every movement and, with the acquisition of the
communication permission, the firewall is set in the radio
base station. The operation of the RADIUS server regarding the
setting of the firewall is similar to the operation of the
home agent apparatus detailed in each of the above
embodiments, and thus the description thereof is omitted
herein.
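The following added example, not part of the patent, shows how the RADIUS variant of paragraphs [0102]-[0104] can carry the configuration file on the access permission message: the server builds an Access-Accept (RFC 2865 packet layout, Code 2) with a Filter-Id attribute (type 11, the "filtering ID" of paragraph [0101]) and the configuration file split across Vendor-Specific attributes (type 26), and the base station and firewall verifies the Response Authenticator against its outstanding request before reassembling and installing anything. The vendor id 99999, the vendor attribute type, the JSON encoding of the configuration file, the shared secret and the request authenticator are assumptions made for the example. RFC 2865's authenticator is an MD5 construction and is what the protocol itself provides; it is the minimum check a base station must perform, because without it any host able to reach the base station could supply a configuration.

```python
import hashlib
import hmac
import json
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11           # RFC 2865 Filter-Id
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific
VENDOR_ID = 99999             # assumed private enterprise number, not a registered one
VSA_FIREWALL_CONFIG = 1       # assumed vendor attribute type carrying the configuration file
VSA_DATA_MAX = 247            # 253-byte attribute value minus 4-byte vendor id and 2-byte vendor header


def attribute(atype, value):
    """One RFC 2865 attribute: Type(1) Length(1, including these two bytes) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def firewall_config_vsa(chunk):
    inner = struct.pack("!BB", VSA_FIREWALL_CONFIG, len(chunk) + 2) + chunk
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + inner)


def encode_config(config):
    return json.dumps(config, separators=(",", ":"), sort_keys=True).encode()


def build_access_accept(identifier, request_authenticator, secret, filter_id, config):
    """RADIUS server side: Access-Accept carrying Filter-Id and the configuration
    file split across Vendor-Specific attributes. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    payload = encode_config(config)
    attrs = attribute(ATTR_FILTER_ID, filter_id.encode())
    for i in range(0, len(payload), VSA_DATA_MAX):
        attrs += firewall_config_vsa(payload[i:i + VSA_DATA_MAX])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(body):
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        yield atype, body[i + 2:i + alen]
        i += alen


def verify_and_extract(packet, identifier, request_authenticator, secret):
    """Base station and firewall side: match the reply to the outstanding
    request and check the Response Authenticator before reassembling."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or ident != identifier or length != len(packet):
        raise ValueError("not a matching Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch")
    filter_id, chunks = None, []
    for atype, value in parse_attributes(attrs):
        if atype == ATTR_FILTER_ID:
            filter_id = value.decode()
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == VENDOR_ID and vtype == VSA_FIREWALL_CONFIG and vlen == len(value) - 4:
                chunks.append(value[6:])
    config = json.loads(b"".join(chunks).decode()) if chunks else None
    return filter_id, config


# Constructed sample (not from the patent): a configuration file for mobile station 50.
SAMPLE_CONFIG = {
    "firewall_name": "fw-ms50",
    "external_routing_criterion": {"dst_ip": "2001:db8:20::50"},
    "mobile_routing_criterion": {"src_ip": ["2001:db8:1::50", "2001:db8:20::50"]},
    "access_control_list": [
        {"action": "permit", "proto": "tcp", "src": "any", "dst": "2001:db8:20::50", "dport": "443"},
        {"action": "permit", "proto": "tcp", "src": "2001:db8:20::50", "dst": "any", "dport": "any"},
        {"action": "deny", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
    ],
    "home_agent_address": "2001:db8:1::1",
}
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))   # constructed stand-in for the Access-Request authenticator
```

The configuration file is larger than one attribute can hold, so the sample is split over several Vendor-Specific attributes and reassembled in order on the receiving side; a reply whose identifier does not match the outstanding request, or whose authenticator fails, is rejected before any attribute is parsed. Deployments typically add transport protection (IPsec, or RADIUS over TLS per RFC 6614) on top of this.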
[0105]

Moreover, the mobile station was described as a single
device in the embodiments of the invention, but it may be
a mobile network in which a plurality of devices are connected
through links. In this case, the plurality of devices move
simultaneously and similarly, and they are recognized as
a single terminal by the external network such as the Internet.
A device connecting the mobile network to the external network
is, for example, a router.

[0106]

From the invention thus described, it will be obvious
that the embodiments of the invention may be varied in many
ways. Such variations are not to be regarded as a departure
from the spirit and scope of the invention, and all such
modifications as would be obvious to one skilled in the art
are intended for inclusion within the scope of the following
claims.